Header graphic for print

HL Chronicle of Data Protection

Privacy & Information Security News & Trends

Posted in Health Privacy/HIPAA

Health IT Regulator Updates Guidance on Privacy and Security

HealthIT.govIn an effort to help members of the health IT community better understand the federal laws relating to interoperability, the Office of the National Coordinator for Health Information Technology (ONC), part of the Department of Health and Human Services, has published a revised Guide to Privacy and Security of Electronic Health Information.  Originally published in 2011, the updated document includes new insights about privacy- and security-related issues that will help providers, health IT professionals, vendors, and the public at large understand the different potentially applicable federal laws and incentive programs and how they fit together. Continue Reading

Posted in News & Events

Hogan Lovells Privacy Practice Honored With “Team of the Year” Award by Chambers

2015 Chambers award winnerHogan Lovells is pleased to announce that its Privacy and Information Management practice has been named “Privacy & Data Security Team of the Year” by Chambers USA.

Hogan Lovells was bestowed with the accolade at the Chambers USA Awards Ceremony and Dinner at Cipriani in New York City on 19 May.

The awards honor the work of national and international law firms across the region on the basis of research for the 2015 edition of Chambers USA. They recognize a law firm’s pre-eminence in the United States. They also reflect notable achievements over the past 12 months including outstanding work, impressive strategic growth, and excellence in client service. Continue Reading

Posted in Consumer Privacy

FTC’s Latest Location-Tracking Settlement Reminds Companies to Mind Any Gap Between What They Say and What They Do

ftc-logoOn April 23, the FTC accepted an administrative consent order with Nomi Technologies, Inc., which uses mobile device tracking technology to provide analytics services to retailers through its “Listen” service.  At first blush, the action appears to involve a straightforward alleged misrepresentation in a privacy policy, but the two dissenting statements from Commissioner Wright and Commissioner Ohlhausen reveal more complex legal and policy issues.  The settlement provides useful insights into how the current Chairwoman and Commissioners view deception cases on data privacy issues.  It also affirms that a company’s public statements must be accurate, but suggests that voluntary promises relating to privacy should be made cautiously.   Continue Reading

Posted in International/EU Privacy

Hogan Lovells Partner Considers Potential CJEU Ruling on Safe Harbor

us-eu-flag-shutterstock_101051197-250The fact that the Safe Harbor framework is permanently in the firing line is not particularly earth-shattering, but the prospect of the top European court declaring its inadequacy later this year could have dramatic consequences. This prospect became all the more possible after a hearing at the Court of Justice of the European Union (CJEU) in Luxembourg in March.  In an article published in the May 2015 issue of Privacy Laws & Business International Report, Eduardo Ustaran, Partner in Hogan Lovells’ Global Privacy and Information Management Practice, explores the policy climate that led to the CJEU’s potential reckoning of the Safe Harbor and the potential consequences of the eventual ruling.

To read “Safe Harbor in the Dock,” click here.

Posted in Privacy & Security Litigation

Supreme Court Grants Cert in Case That May Shed Light on Statutory Standing Limits in Consumer Privacy Lawsuits

Supreme Court SealLast week, the Supreme Court granted certiorari in Spokeo, Inc. v. Robins, a case that may significantly impact the ability of plaintiffs to sue in federal court based solely on an alleged infringement of statutory rights.  Plaintiffs often allege violation of statutory rights in privacy cases where standing for common law causes of action has proven more difficult to demonstrate and dismissal more frequent.  A ruling from Supreme Court could upend this strategy, forcing plaintiffs to allege more than just a statutory injury across all their claims. Continue Reading

Posted in Privacy & Security Litigation

Plaintiffs Increasingly Seek to Stretch Scope of VPPA

VPPA VHSTwo recent rulings in lawsuits against streaming video services under the Video Privacy Protection Act (VPPA) have tested the limits of those services’ VPPA compliance.  The VPPA, enacted in 1988, prohibits the knowing disclosure of certain information about a consumer that “identifies a person as having requested or obtained specific video materials.”  The actions described below address first, the relationship a person must have with a streaming service to be considered a “consumer” under the VPPA and second, the connection between a consumer’s identity and the identity of specific video material disclosed to a third party that a plaintiff must demonstrate when stating a VPPA claim. Continue Reading

Posted in Health Privacy/HIPAA, International/EU Privacy

The Treatment of Health Data Under the EU Data Protection Regulation – Cause for Hope?

European Council - 2015 LogoOn 9 March, the Council of the EU issued a partial general approach on a key chapter (Chapter II) of the EU Data Protection Regulation which has implications for the regulation of health data. The Council’s stance has been welcomed by a number of healthcare commentators as it promotes a more flexible approach to the use of health data and accords with the tenor of the revised version of the draft Regulation that emerged from the Council in December last year. Continue Reading

Posted in International/EU Privacy

The CNIL Simplifies Formalities Regarding the Implementation of Binding Corporate Rules

CNIL LogoOn 24 March, the French data protection authority (Commission Nationale de l’Informatique et Libertés – the “CNIL”) announced that it will soon make easier the practical implementation of intra-group transfers of data from French entities to entities located outside the European Union where groups of companies have adopted Binding Corporate Rules (BCRs).  BCRs are becoming increasingly popular among multinationals as a legal means for providing adequate protection to personal data (covered by EU Data Protection Directive 95/46/EC) which are transferred from the European Union to countries that are not considered to provide an adequate level of protection by the European Commission.  In the CNIL’s view, the implementation of BCRs shows a strong commitment from multinational organisations to protect personal data.  Indeed, the CNIL has been a champion of the emerging “BCR for processors” initiative which is also prompting interest from sophisticated processors who operate globally. Continue Reading

Posted in International/EU Privacy

Hogan Lovells Hong Kong Event: Data Privacy Regulation in Asia – A Practical Way Forward to Compliance

Asia Globe BinaryOn Thursday, 14 May, Hogan Lovells data protection lawyers Mark Parsons and Eugene Low will host an in-person discussion at Hogan Lovells’ offices in Hong Kong to take stock of where Asia is in terms of data privacy regulation, and to help chart a roadmap to compliance. The focus will be on identifying “hot spots” for businesses operating across the region and pointing to practical measures and points of prioritisation. The discussion will also consider steps to be taken to prepare for and react to breach events, with a seasoned view of regulatory attitudes and approaches to enforcement and remediation.

Few areas of regulation are advancing as quickly in Asia as data privacy regulation. This year marks the tenth anniversary of the APEC Privacy Framework and we now see “European style” comprehensive data privacy regimes in a dozen jurisdictions across the Asia-Pacific region.

The compliance challenge for Asia is complicated by a patchwork of differing regimes, each grounded in differing policy rationales and points of focus. The playing field is not just uneven, but also constantly shifting. Data security breaches feature in Asian news headlines as they do across the globe and this supports the “event driven” nature of legislative change.

Rapid advances in the technology deployed by businesses enhances opportunities but also raises risks. The use of mobile technologies, for example, creates new avenues for reaching consumers, but at the same time places businesses in the cross-hairs of ever increasing regulatory scrutiny. Consolidating databases and enabling remote access to data can bolster productivity, but at the same time create frictions with Asia’s increasing tendency towards cross-border transfer restrictions.

More information about the event is available here. To RSVP, please e-mail hkevent@hoganlovells.com. The presentation portion of the event will be recorded and a link to it will be posted on this blog after the event.


Posted in Cybersecurity & Data Breaches

FCC Seeks Comment on Cybersecurity Recommendations for Communications Providers

CSRIC LogoThe U.S. Federal Communications Commission’s (FCC) Public Safety and Homeland Security Bureau (Bureau) has requested public input on a recent report on Cybersecurity Risk Management and Best Practices (Report) by the Communications Security, Reliability and Interoperability Council (CSRIC) for communications providers.  The Report represents the latest example of the U.S. government’s continued attention to these issues following the President’s 2013 Executive Order on Improving Critical Infrastructure Cybersecurity.  Comments are due May 29, with replies due June 26. Continue Reading